A recent Ars Technica op-ed by Nicholas Weaver took a harsh view of Tor routers, calling their basic premise flawed. We acknowledge that Tor routers are not a privacy silver bullet; we’ve been vocal about the need for people to use privacy add-ons with their web browsers. But I feel Weaver's article was one-sided and overstated the case against Tor routers; many of the arguments he made against them could be applied to VPNs as well.
Some of Weaver's points of contention were:
- If you want protection from your ISP, you should use a VPN;
- A personal VPN hosted on Amazon EC2 is a reasonable choice;
- VPN providers offer “better performance and equal privacy”;
- Many Tor exit nodes are malicious (implying that some VPN providers aren’t);
- Browser fingerprinting can break the anonymity of Tor without the Tor Browser Bundle; and
- Tor router makers are money-grabbing scumbags.
I'll address each of these in turn; some of them are good points, others not as much. I may be biased because we make a Tor router, and I think we’ve made a pretty good device. But I’ve tried to be as fair as I can here and acknowledge the limits of Tor routers.